Notes: Unix Lab 05

  1. ls and permission strings
  2. Directory permissions
  3. The chmod command
  4. The chown command
  5. The chgrp command
  6. The groups command
  7. The umask command
  8. The touch command
  9. Homework
  1. Permission strings and file ownership

    Unix supports three basic access permission attributes: read, write, and execute. There are some additional attributes that can be set but they are less frequently used. For files read access sets the ability for a user to view the contents of a file. Write access controlls the ability to delete or modify the contents of a file. Execute permission determines whether the shell will allow the file to be run as a program.

    For each file there are three sets of permissions: user, group, others (or "world"). The user permissions determines the access for the user account running the shell. The group permissions sets access for user accounts that are a member of the file's group. The permissions for others controlls access for any user account that is not the owner and is not a member of the file's group.

    The long listing from the ls displays the permission strings for user, group and others. An example:
     
    tuckerm@platypus:~> ls -l start-vnc.sh 
    -rwxr-x---  1 tuckerm tuckerm 777 Nov  7 14:09 start-vnc.sh*
    tuckerm@platypus:~>
    

    The permissions are listed in the first block of characters from the output of the long listing (ls -l). See the highlighted section below:

    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
    The first character, in this case the dash "-", designates the file type (regular file, link, directory, etc.). The following section is comprised of three groups of three characters. The first three characters display the current permissions relative to the owner of the file:
    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
    The group permissions are displayed in the next three characters:
    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
    The final three characters show the permissions for all other users on the system ("world") which are not the owner or a member of the file's group:
    -rwxrwxrwx 1 owner group 1254 Apr 1 14:09 some_file.txt
    Each block of three characters will be ordered as "rwx". The "r" designates that the user,group or other has read access to the file. This controlls the ability to view the contents of the file itself. If read access is not allowed there will be a dash ("-") character in its place. The "w" character designates whether the user, group or world has write access to the file. Write access allows the contents of the file to be modified and also controls the ability to delete the entire file. If write access is not allowed there will be a dash ("-") character in its place. The final character, "x", shows the execute permissions for the file. In unix the ability to execute a file as a program is not dependent on the file name or extension as it is in Windows/DOS. The execute permissions determine if the file may be executed. Even though a file may have execute permissions does not mean that the file will do anything meaningful when the shell attempts to run it. If execute access is not allowed there will be a dash ("-") character in its place.

    Some examples:

    -rw-r----- 1 tuckerm users 1254 Apr 1 14:09 some_file.txt
    In the above example the user, tuckerm, has permission to read the file some_file.txt along with permission to modify or delete the file. Members of the group "users" may read the contents of the file but cannot change or delete the file. All other users will be denied access to the file. Nobody may execute the file as a program.

    -r--rw-r-- 1 tuckerm users 1254 Apr 1 14:09 some_file.txt
    In this example the user, tuckerm, can only read the file - even if they were a member of the "users" group. All other members of the group "users" may read and change/delete the file. Anyone else on the system is only allowed to read the file.

  2. Directory Permissions

    Permissions on directories are defined in the same way as regular files but their meaning is slightly different.
        r   Allows the user, group or world to view the contents of a
            directory.     
    
        w   Allows the user, group or world to create or delete files
            within the directory.
    
        x   Allows the user, group or world to access (cd) the directory but 
            does not necessarily allow the user to read a listing of files
    	within the directory (unless the "r" attribute is
            set).
        
    These permissions only apply to the current directory and will not apply to any subdirectories.

  3. Changing permissions with chmod

    The utility chmod is used to change the permissions on a file or directory. The command accepts two (or more) options:
    chmod <permissions> <file or directory>
    Permissions are defined by who the permission applies to, wheter the permission is added or removed, and what access permission is being designated.
        u  user permissions (owner)
        g  group permissions
        o  permissions for all others (world)
        a  permissions for all users (u,g and o)
        
    The access permissions are designated with the same characters as were used in the long listing output:
        r  read permission
        w  write permission
        x  execute permission
        
    Below is an example of allowing read permissions for all group members of a file:
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod g+r somefile.txt
    tuckerm@apollo:~> 
    

    Another example removing write access for all users and adding read access for the world:
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod a-w,o+r somefile.txt
    tuckerm@apollo:~> 
    

    An example of giving full access to the owner of the file
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod u+rwx somefile.txt
    tuckerm@apollo:~> 
    

    An example of removing all access for the group and world for the file
     
    tuckerm@apollo:~> 
    tuckerm@apollo:~> chmod go-rwx somefile.txt
    tuckerm@apollo:~> 
    

    There is a second way of specifying the permissions to update with chmod using a numeric representation of the file's permissions. An exmaple of this:

    chmod 0750 somefile.txt
    In this example the permissions are broken down into numeric values. The first digit is used to specify any special permission (sticky bit, setuid, etc.) or the type of entity (directory, file, link, etc). See the man page for chmod). For most common usage the first digit can be ignored. Following this first digit, the first set of 3 digits specifies the user permissions (owner). The second set of 3 is for group permissions and the third set is for other (world) permissions. Within each set of 3 digits:
        1  x  execute permissions
        2  w  write permissions
        4  r  read permissions
        
    The numeric values for each access attribute are added up and applied to the appropriate digit. For example, to set read and write access (but not execute) to a give entity the value for read access (4) would be added to the value for write (2) and would be 6. Therefore, to set read & write permissions for the user and group but read-only for all others would be specified as 0664.
    accessusergroupothers
    read (r)444
    write (w)220
    execute (x)000
    Total664

    Some examples of equivalent commands starting with the numeric method:
     
    tuckerm@apollo:~> ls -l some-file.txt
    ----------    1 tuckerm  students        0 Feb  1 17:11 some-file.txt
    tuckerm@apollo:~> chmod 0754 some-file.txt
    tuckerm@apollo:~> ls -l some-file.txt
    -rwxr-xr--    1 tuckerm  students        0 Feb  1 17:11 some-file.txt*
    tuckerm@apollo:~>
    

    The same operation using the symbolic notation:
     
    tuckerm@apollo:~> ls -l some-file.txt
    ----------    1 tuckerm  students        0 Feb  1 17:11 some-file.txt
    tuckerm@apollo:~> chmod u+rwx,g+rx,o+r some-file.txt 
    tuckerm@apollo:~> ls -l some-file.txt
    -rwxr-xr--    1 tuckerm  students        0 Feb  1 17:11 some-file.txt*
    tuckerm@apollo:~> 
    

  4. The chown command

    The chown command is used by the system administrator (root) to change the ownership of a file. As a user this command will not be able to do anything:
     
        
    root@platypus:~# chown tuckerm labrun.test
    

  5. The chgrp command

    This command allows the user to change the group for a specified file or directory. A user may only change the group of a file to a group which the user account is a member of. chgrp accepts two arguements. The first is the name of the group to change to. The second is the file or directory to make the change to. An example:
     
        
    tuckerm@apollo:~> ls -l start-vnc.sh 
    -rwxr-x---    1 tuckerm  tuckerm       777 Nov  7 14:09 start-vnc.sh*
    tuckerm@apollo:~> chgrp faculty start-vnc.sh 
    tuckerm@apollo:~> ls -l start-vnc.sh
    -rwxr-x---    1 tuckerm  faculty       777 Nov  7 14:09 start-vnc.sh*
    tuckerm@apollo:~>
    

  6. The groups command

    The groups command simply lists all the groups that the current user is a member of. Example:
     
    tuckerm@platypus:~> groups
    tuckerm student10 faculty
    tuckerm@platypus:~>
    

  7. umask

    The umask is often a command that is built in to the shell. It is used to define the default permissions for newly created files when using the shell. Generally this default will be set by the system administrator. Sometimes it is beneficial to set this to some other value depending on how secure or open operations need to be. The command takes one argument which is the numeric value of what the mask should be. It uses the inverse of the numeric permission string (see chmod) to define the default permissions. So, if new file permissions are to be set as 0777, then a umask of 000 would be appropriate. To restrict all world access to new files the umask should be set to 007 (newly created files would have permissions of 0770).
     
    tuckerm@apollo:~> touch newfile
    tuckerm@apollo:~> ls -l newfile 
    -rw-rw-r--    1 tuckerm  tuckerm         0 Feb  1 17:41 newfile
    tuckerm@apollo:~> umask 0777
    tuckerm@apollo:~> touch another_file
    tuckerm@apollo:~> ls -l another_file
    ----------    1 tuckerm  tuckerm         0 Feb  1 17:41 another_file
    tuckerm@apollo:~> umask 0037
    tuckerm@apollo:~> touch last_file
    tuckerm@apollo:~> ls -l last_file
    -rw-r-----    1 tuckerm  tuckerm         0 Feb  1 17:42 last_file
    tuckerm@apollo:~>
    

  8. touch

    The touch command is used to create a new, empty file or to modify the date and time of an existing file. If the file exists touch will update the modification time of the file with the current time. Below is an example of creating an empty file and then updating its modification time:
     
    tuckerm@apollo:~> ls -l some-file.txt
    /usr/bin/ls: some-file.txt: No such file or directory
    tuckerm@apollo:~> date
    Tue Feb  1 17:09:06 GMT 2005
    tuckerm@apollo:~> touch some-file.txt
    tuckerm@apollo:~> ls -l some-file.txt
    -rw-rw-r--    1 tuckerm  tuckerm         0 Feb  1 17:09 some-file.txt
    tuckerm@apollo:~> 
    tuckerm@apollo:~> date
    Tue Feb  1 17:11:53 GMT 2005
    tuckerm@apollo:~> touch some-file.txt
    tuckerm@apollo:~> ls -l some-file.txt
    -rw-rw-r--    1 tuckerm  tuckerm         0 Feb  1 17:11 some-file.txt
    tuckerm@apollo:~>
    

  Homework